authorjoerg <joerg>2006-03-29 17:20:09 +0000
committerjoerg <joerg>2006-03-29 17:20:09 +0000
commit054fd818c24e37c7b7c4611c4f9a42ab86a64d07 (patch)
treeefd8186b8884b095cae9102ddf4228ceb58cad63 /print/xpdf/patches
parent0910b68c6b67f19a71f46e95d6fa96dc9e535dac (diff)
Update xpdf to 3.01 patch level 2. The patch level addresses a number of
reported vulnerabilities and adds at least some constraint checks that were not done before.
Diffstat (limited to 'print/xpdf/patches')
-rw-r--r--print/xpdf/patches/patch-ao51
-rw-r--r--print/xpdf/patches/patch-aq32
-rw-r--r--print/xpdf/patches/patch-at101
3 files changed, 1 insertions, 183 deletions
diff --git a/print/xpdf/patches/patch-ao b/print/xpdf/patches/patch-ao
index 52c236062ab..7db03857de9 100644
--- a/print/xpdf/patches/patch-ao
+++ b/print/xpdf/patches/patch-ao
@@ -1,56 +1,7 @@
-$NetBSD: patch-ao,v 1.3 2006/01/22 23:13:33 tron Exp $
+$NetBSD: patch-ao,v 1.4 2006/03/29 17:20:09 joerg Exp $
--- xpdf/JBIG2Stream.cc.orig 2005-08-17 06:34:31.000000000 +0100
+++ xpdf/JBIG2Stream.cc 2006-01-22 22:48:31.000000000 +0000
-@@ -7,6 +7,7 @@
- //========================================================================
-
- #include <aconf.h>
-+#include <limits.h>
-
- #ifdef USE_GCC_PRAGMAS
- #pragma implementation
-@@ -681,9 +682,15 @@
- w = wA;
- h = hA;
- line = (wA + 7) >> 3;
-- // need to allocate one extra guard byte for use in combine()
-- data = (Guchar *)gmalloc(h * line + 1);
-- data[h * line] = 0;
-+
-+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
-+ data = NULL;
-+ }
-+ else {
-+ // need to allocate one extra guard byte for use in combine()
-+ data = (Guchar *)gmalloc(h * line + 1);
-+ data[h * line] = 0;
-+ }
- }
-
- JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
-@@ -692,6 +699,12 @@
- w = bitmap->w;
- h = bitmap->h;
- line = bitmap->line;
-+
-+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
-+ data = NULL;
-+ return;
-+ }
-+
- // need to allocate one extra guard byte for use in combine()
- data = (Guchar *)gmalloc(h * line + 1);
- memcpy(data, bitmap->data, h * line);
-@@ -720,7 +733,7 @@
- }
-
- void JBIG2Bitmap::expand(int newH, Guint pixel) {
-- if (newH <= h) {
-+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
- return;
- }
- // need to allocate one extra guard byte for use in combine()
@@ -2305,6 +2318,15 @@
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
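Review bot: Nothing in the trimmed patch-ao records that the overflow guards deleted here (`h >= INT_MAX / line` in both JBIG2Bitmap constructors and `newH >= INT_MAX / line` in `expand`) are now enforced by the upstream source, so a later reader cannot tell whether they were superseded or simply lost. A free-text line under the `$NetBSD$` tag would document it, for example `JBIG2Bitmap size checks dropped in 1.4; verify they are present in upstream 3.01pl2.` The guards removed with patch-aq and patch-at (JPX tile count, StreamPredictor row size, DCT component count and Huffman table index) presumably need the same confirmation against the new distfile. Separately, the retained header `@@ -2305,6 +2318,15 @@` still carries the 13-line shift from the four deleted hunks, and the `.orig` timestamp predates this update, so regenerating the patch against the 3.01pl2 tree would keep its offsets accurate. The body of that retained hunk lies outside this diff's context.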
diff --git a/print/xpdf/patches/patch-aq b/print/xpdf/patches/patch-aq
deleted file mode 100644
index 26fca77eb60..00000000000
--- a/print/xpdf/patches/patch-aq
+++ /dev/null
@@ -1,32 +0,0 @@
-$NetBSD: patch-aq,v 1.1 2006/01/22 23:13:33 tron Exp $
-
---- xpdf/JPXStream.cc.orig 2006-01-22 22:52:51.000000000 +0000
-+++ xpdf/JPXStream.cc 2006-01-22 22:48:31.000000000 +0000
-@@ -7,6 +7,7 @@
- //========================================================================
-
- #include <aconf.h>
-+#include <limits.h>
-
- #ifdef USE_GCC_PRAGMAS
- #pragma implementation
-@@ -818,13 +819,15 @@
- / img.xTileSize;
- img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
- / img.yTileSize;
-- nTiles = img.nXTiles * img.nYTiles;
- // check for overflow before allocating memory
-- if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
-- error(getPos(), "Bad tile count in JPX SIZ marker segment");
-- return gFalse;
-+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
-+ img.nXTiles >= INT_MAX/img.nYTiles) {
-+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
-+ return gFalse;
- }
-+ nTiles = img.nXTiles * img.nYTiles;
- img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
-+
- for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
- img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
- sizeof(JPXTileComp));
diff --git a/print/xpdf/patches/patch-at b/print/xpdf/patches/patch-at
deleted file mode 100644
index abe8cbdd061..00000000000
--- a/print/xpdf/patches/patch-at
+++ /dev/null
@@ -1,101 +0,0 @@
-$NetBSD: patch-at,v 1.2 2006/01/22 23:13:33 tron Exp $
-
---- xpdf/Stream.cc.orig 2006-01-22 23:03:34.000000000 +0000
-+++ xpdf/Stream.cc 2006-01-22 23:03:00.000000000 +0000
-@@ -15,6 +15,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <stddef.h>
-+#include <limits.h>
- #ifndef WIN32
- #include <unistd.h>
- #endif
-@@ -401,8 +402,6 @@
-
- StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
- int widthA, int nCompsA, int nBitsA) {
-- int totalBits;
--
- str = strA;
- predictor = predictorA;
- width = widthA;
-@@ -411,15 +410,17 @@
- predLine = NULL;
- ok = gFalse;
-
-+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
-+ nComps >= INT_MAX/nBits ||
-+ width >= INT_MAX/nComps/nBits) {
-+ return;
-+ }
- nVals = width * nComps;
-- totalBits = nVals * nBits;
-- if (totalBits == 0 ||
-- (totalBits / nBits) / nComps != width ||
-- totalBits + 7 < 0) {
-+ if (nVals * nBits + 7 <= 0) {
- return;
- }
- pixBytes = (nComps * nBits + 7) >> 3;
-- rowBytes = ((totalBits + 7) >> 3) + pixBytes;
-+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
- if (rowBytes < 0) {
- return;
- }
-@@ -1275,7 +1276,7 @@
- endOfLine = endOfLineA;
- byteAlign = byteAlignA;
- columns = columnsA;
-- if (columns < 1) {
-+ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
- columns = 1;
- }
- rows = rowsA;
-@@ -2922,10 +2923,6 @@
- error(getPos(), "Bad number of components in DCT stream", prec);
- return gFalse;
- }
-- if (numComps <= 0 || numComps > 4) {
-- error(getPos(), "Bad number of components in DCT stream", prec);
-- return gFalse;
-- }
- if (prec != 8) {
- error(getPos(), "Bad DCT precision %d", prec);
- return gFalse;
-@@ -2952,6 +2949,10 @@
- height = read16();
- width = read16();
- numComps = str->getChar();
-+ if (numComps <= 0 || numComps > 4) {
-+ error(getPos(), "Bad number of components in DCT stream", prec);
-+ return gFalse;
-+ }
- if (prec != 8) {
- error(getPos(), "Bad DCT precision %d", prec);
- return gFalse;
-@@ -2974,6 +2975,10 @@
-
- length = read16() - 2;
- scanInfo.numComps = str->getChar();
-+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
-+ error(getPos(), "Bad number of components in DCT stream");
-+ return gFalse;
-+ }
- --length;
- if (length != 2 * scanInfo.numComps + 3) {
- error(getPos(), "Bad DCT scan info block");
-@@ -3058,12 +3063,12 @@
- while (length > 0) {
- index = str->getChar();
- --length;
-- if ((index & 0x0f) >= 4) {
-+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
- error(getPos(), "Bad DCT Huffman table");
- return gFalse;
- }
- if (index & 0x10) {
-- index &= 0x0f;
-+ index &= 0x03;
- if (index >= numACHuffTables)
- numACHuffTables = index+1;
- tbl = &acHuffTables[index];